Data Privacy Detective | Episode 60 - Cyber Insurance: What it Does and Doesn’t Cover

As businesses move into 2021, what insurance can they have to limit cyber risk? What does cyber insurance cover and not cover? How is it priced and secured?

Data Privacy Detective guest Sean McGee is a Vice President of USI Insurance Services, an independent company serving global clientele and accessing global insurance markets. www.usi.com / Sean.McGee@usi.com . Also an Ohio and Kentucky attorney, at USI Sean advises customers on a broad array of business risks, including those arising from personal data collection and use.

Cyber insurance emerged in 1997. Insurance Journal reported 2019 premiums of over $2.2 billion, spread among a competitive range of providers, with growth anticipated in number of policies, variety of risks covered, and premiums. As one example, the average payment for ransomware attacks jumped to almost $85,000 by year-end 2019, almost double the prior year’s average, triggering an adjustment of price for covering this type of risk.

Cyber insurance pricing is competitive. It depends on a company’s responses to questionnaires that can be 20 pages in length and interviews with CIO’s and others. Underwriters assess the strength and scope of an applicant’s cyber protection program before quoting a premium.

A solid cyber policy will generally cover direct costs resulting from a data breach or incident. These include attorney fees and other costs of defense, resolution of private and public claims, expenses to recover purloined data, business interruption (subject to defined caps and other details), and similar out-of-pocket losses suffered from a cyber-attack. Policies generally cover global losses, including direct losses suffered in the European Union under GDPR.

Coverage typically does not extend to more indirect losses, such as damage to reputation, costs to improve a system after an attack, or potential future lost profits as distinguished from business interruption loss. The more indirect or difficult to measure a loss is, the less likely it will be insured. Deductibles, caps and other limits, and unusual types of risks should be carefully reviewed before finalizing an insurance purchase.

Top tips for businesses considering cyber insurance:
-Have a top-to-bottom training program to help every individual avoid phishing and other incidents that lead to data breaches, ransomware attacks and other losses.
-Have a data response plan in place before it’s needed, ready to activate immediately when required.
-Think holistically. Preventing data attacks is not just a hardware problem. Review regularly measures to upgrade data protection, protect personal and proprietary data, and limit losses from data risks.

Show Notes

As businesses move into 2021, what insurance can they have to limit cyber risk? What does cyber insurance cover and not cover? How is it priced and secured? Data Privacy Detective guest Sean McGee is a Vice President of USI Insurance Services, an independent company serving global clientele and accessing global insurance markets. www.usi.com / Sean.McGee@usi.com . Also an Ohio and Kentucky attorney, at USI Sean advises customers on a broad array of business risks, including those arising from personal data collection and use. Cyber insurance emerged in 1997. Insurance Journal reported 2019 premiums of over $2.2 billion, spread among a competitive range of providers, with growth anticipated in number of policies, variety of risks covered, and premiums. As one example, the average payment for ransomware attacks jumped to almost $85,000 by year-end 2019, almost double the prior year’s average, triggering an adjustment of price for covering this type of risk. Cyber insurance pricing is competitive. It depends on a company’s responses to questionnaires that can be 20 pages in length and interviews with CIO’s and others. Underwriters assess the strength and scope of an applicant’s cyber protection program before quoting a premium. A solid cyber policy will generally cover direct costs resulting from a data breach or incident. These include attorney fees and other costs of defense, resolution of private and public claims, expenses to recover purloined data, business interruption (subject to defined caps and other details), and similar out-of-pocket losses suffered from a cyber-attack. Policies generally cover global losses, including direct losses suffered in the European Union under GDPR. Coverage typically does not extend to more indirect losses, such as damage to reputation, costs to improve a system after an attack, or potential future lost profits as distinguished from business interruption loss. The more indirect or difficult to measure a loss is, the less likely it will be insured. Deductibles, caps and other limits, and unusual types of risks should be carefully reviewed before finalizing an insurance purchase. Top tips for businesses considering cyber insurance: -Have a top-to-bottom training program to help every individual avoid phishing and other incidents that lead to data breaches, ransomware attacks and other losses. -Have a data response plan in place before it’s needed, ready to activate immediately when required. -Think holistically. Preventing data attacks is not just a hardware problem. Review regularly measures to upgrade data protection, protect personal and proprietary data, and limit losses from data risks.

What is Data Privacy Detective?

The internet in its blooming evolution makes personal data big business – for government, the private sector and denizens of the dark alike. The Data Privacy Detective explores how governments balance the interests of personal privacy with competing needs for public security, public health and other communal goods. It scans the globe for champions, villains, protectors and invaders of personal privacy and for the tools and technology used by individuals, business and government in the great competition between personal privacy and societal good order.

We’ll discuss how to guard our privacy by safeguarding the personal data we want to protect. We’ll aim to limit the access others can gain to your sensitive personal data while enjoying the convenience and power of smartphones, Facebook, Google, EBay, PayPal and thousands of devices and sites. We’ll explore how sinister forces seek to penetrate defenses to access data you don’t want them to have. We’ll discover how companies providing us services and devices collect, use and try to exploit or safeguard our personal data.

And we’ll keep up to date on how governments regulate personal data, including how they themselves create, use and disclose it in an effort to advance public goals in ways that vary dramatically from country to country. For the public good and personal privacy can be at odds. On one hand, governments try to deter terrorist incidents, theft, fraud and other criminal activity by accessing personal data, by collecting and analyzing health data to prevent and control disease and in other ways most people readily accept. On the other hand, many governments view personal privacy as a fundamental human right, with government as guardian of each citizen’s right to privacy. How authorities regulate data privacy is an ongoing balance of public and individual interests. We’ll report statutes, regulations, international agreements and court decisions that determine the balance in favor of one or more of the competing interests. And we’ll explore innovative efforts to transcend government control through blockchain and other technology.

If you have ideas for interviews or stories, please email info@thedataprivacydetective.com.